Google Authenticator to get end-to-end encryption ‘down the line’

On Wednesday, April 26th, we shared how Google’s Authenticator application was discovered to not offer end-to-end encryption (E2EE). Earlier this week, Google announced that users would now be able to sync Authenticator to a Google account and use it across multiple devices.

However, when security researchers and app developers for the software company Mysk dug deeper into the change, they noticed that the underlying data wasn’t end-to-end encrypted. This opened up the possibility for Google getting a glimpse at users’ apps and data for the purpose of targeted ads.

Now, Google product manager Christiaan Brand has responded to criticism from security researchers. He said, “we have plans to offer E2EE for Google Authenticator down the line.”

(3/4) To make sure we’re offering users a full set of options, we’ve started rolling out optional E2E encryption in some of our products, and we have plans to offer E2EE for Google Authenticator down the line.

— Christiaan Brand (@christiaanbrand) April 26, 2023

With the Authenticator app synced to Google Accounts, users can easily sign into their accounts on new devices. Although this feature is a welcome addition, it raises security concerns, as hackers who breach a user’s Google account could gain access to numerous other accounts through the Authenticator app. If the new update featured E2EE, hackers and third parties, including Google, would not be able to see this sensitive information.

Brand added that while E2EE is a powerful feature, it comes at a cost. Google encrypts “data in transit, and at rest, across our products, including in Google Authenticator,” adding E2EE would come at the “cost of enabling users to get locked out of their own data without recovery.”

It is currently unknown when Google will offer E2EE for the Authenticator app.

Image credit: Shutterstock

Source: @christiaanbrand Via: The Verge